Technical Tip: A basic guide to FortiNAC device processing
Description
This article explains how FortiNAC processes unknown devices (Rogue Hosts) in an easily understood manner.
Scope
FortiNAC, FortiNAC-F.
Solution
FortiNAC is a Fortinet solution aimed at managing access control to internal networks. It does this by monitoring network infrastructure like switches and access points, detecting connecting devices, and controlling what access those endpoints have to the larger network.
This article touches on the following components:
| Endpoint device | Network device | Agent | FortiNAC |
| --- | --- | --- | --- |
| The unknown device (Rogue Host) connecting to a monitored network device. | The network device monitored by FortiNAC, typically a switch, access point or router. | The Persistent/Dissolvable/Passive Agent running on the endpoint. | The Fortinet solution monitoring the network and controlling access to it. |
1. An unknown endpoint (Rogue Host) connects to a monitored network device like a switch.
2. The network device informs FortiNAC, or FortiNAC otherwise discovers the Rogue Host.

   Note: At this point, the Rogue Host is typically moved to an isolation/registration VLAN before FortiNAC proceeds further. The isolation/registration VLAN may host a captive portal to allow users to register and provide information FortiNAC can then use for further decisions.

3. FortiNAC profiles the endpoint to determine what it is.
   - If the endpoint has an agent running (Persistent, Dissolvable or Passive), the agent provides FortiNAC with information about the endpoint.
   - If the endpoint does not have an agent running, FortiNAC determines the device type from other information like what traffic it generates.
4. FortiNAC matches the endpoint to a User/Host Profile (UHP).

   Note: This may involve applying Endpoint Compliance Policies (ECP) like enforcing up-to-date AntiVirus software. The endpoint is reassessed after an Endpoint Compliance Profile has been applied, and may match a different User/Host Profile.

5. FortiNAC matches the endpoint into a Network Access Policy (NAP) based on the User/Host Profile and other criteria like the network device the endpoint is connected to.

   Note: Network Access Policies are checked sequentially (similar to firewall policies in FortiGate) until a match is found. The matching Network Access Policy assigns the endpoint to a logical network. This is mapped to a specific VLAN in the model configuration of the network device.

6. FortiNAC informs the network device what VLAN to move the endpoint to.
7. The network device sets the correct VLAN and the endpoint can access resources in that VLAN as appropriate.
8. FortiNAC continually monitors the network for possible changes, using methods like SNMP traps or API queries.
9. If FortiNAC detects a change in an endpoint, the endpoint is reevaluated from step 4.
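As an added illustration, not FortiNAC's own code or API, the following Python model works through the User/Host Profile match, the sequential first-match Network Access Policy check, the logical-network-to-VLAN mapping taken from the device model configuration, the fallback to the isolation/registration VLAN when nothing matches, and the re-evaluation after a change is detected. The profiles, policies, switch names and VLAN ids are constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Endpoint:
    device_type: str  # learned from the agent, or from its traffic when no agent runs
    compliant: bool   # outcome of the Endpoint Compliance Policy scan
    switch: str       # the network device the endpoint is connected to

# Constructed User/Host Profiles: the first predicate that matches names the UHP.
USER_HOST_PROFILES = [
    ("Corporate-Compliant", lambda e: e.device_type == "Windows" and e.compliant),
    ("Corporate-NonCompliant", lambda e: e.device_type == "Windows" and not e.compliant),
    ("IP-Camera", lambda e: e.device_type == "Camera"),
]
# Constructed Network Access Policies: (UHP, switch or None for any, logical network).
# Checked top-down, first match wins, like FortiGate firewall policies.
NETWORK_ACCESS_POLICIES = [
    ("Corporate-Compliant", "sw-floor1", "Corporate"),
    ("Corporate-Compliant", None, "Corporate-Limited"),
    ("Corporate-NonCompliant", None, "Remediation"),
    ("IP-Camera", None, "IoT"),
]
# Constructed model configuration: per network device, logical network -> VLAN id.
MODEL_CONFIG = {
    "sw-floor1": {"Corporate": 10, "Remediation": 50, "IoT": 30, "Registration": 99},
    "sw-floor2": {"Corporate-Limited": 11, "Remediation": 50, "IoT": 30, "Registration": 99},
}
ISOLATION = "Registration"  # isolation/registration VLAN used when nothing else matches

def match_uhp(ep):
    return next((name for name, test in USER_HOST_PROFILES if test(ep)), None)
def match_nap(uhp, switch):
    for policy_uhp, policy_switch, logical_network in NETWORK_ACCESS_POLICIES:
        if policy_uhp == uhp and policy_switch in (None, switch):
            return logical_network
    return None
def assign_vlan(ep):
    # UHP -> NAP -> logical network -> VLAN in this switch's model configuration
    uhp = match_uhp(ep)
    logical_network = match_nap(uhp, ep.switch) if uhp else None
    vlans = MODEL_CONFIG[ep.switch]
    if logical_network not in vlans:  # no UHP, no NAP, or network not mapped on this switch
        return uhp, ISOLATION, vlans[ISOLATION]
    return uhp, logical_network, vlans[logical_network]

if __name__ == "__main__":
    ep = Endpoint("Windows", False, "sw-floor1")
    print(assign_vlan(ep))  # ('Corporate-NonCompliant', 'Remediation', 50)
    ep.compliant = True     # a change is detected: re-evaluate from the UHP step
    print(assign_vlan(ep))  # ('Corporate-Compliant', 'Corporate', 10)
```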
Related documents:
- FortiNAC-F Administration Guide: What's new.
- Technical Tip: An example of a simple network deployment of FortiNAC with FortiGate/FortiSwitch
- Technical Tip: Comprehensive guide for a simple FortiNAC deployment
- Technical Tip: FortiNAC Guest Captive Portal configuration and workflow
- FortiNAC-F Administration Guide: Device Profiling.
- FortiNAC-F Administration Guide: Portal Workflow.